About
This page is created for project "Crash Reporter for Tor Browser" (GSoC 2017).
Crash Reporter will be helping developers to improve Tor Browser, find bugs and crash reasons easier, that would make Tor Browser more stable and user-friendly.
Mozilla Firefox has the crash reporter based on Google BreakPad with server side - Mozilla Socorro. The work is focused at adapting Firefox Crash Reporter for Tor Browser (Linux version). And also adapting Socorro for changed Crash Reporter and run it as “.onion” service.
Full project proposal can be found at [#point1 blog] or in [#point2 PDF file]. Project source code is available on [#point3 GitHub].
Analysis of the Privacy Implications of Crash Report Data
In this project, Crash Reporter client is a linux-based applications and libraries (including Google Breakpad) that collects and sends crash data to Crash Reporter Server side. Crash Reporter Client collects various data, such as OS name and version, hardware info, browser version, browser install time, stack traces and etc. Most of data fields we can consider as privacy-sensitive or non privacy-sensitive, but there are fields and their combinations we can't be sure about.
**Data fields in crash report **
| Data field | Description | Is privacy-sensitive | Comment |
|---|---|---|---|
| Accessibility | |||
| AbortMessage | |||
| AdapterDeviceID | |||
| AdapterDriverVersion | |||
| AdapterSubsysID | |||
| AdapterVendorID | |||
| Add-ons | List of installed extensions | ? | It's all about whether the user has atypical extensions to identify him (think about the option to send only yes/no for difference from the default state) |
| AddonsShouldHaveBlockedE10s | no | ||
| AppInitDLLs | |||
| AvailablePageFile | |||
| AvailablePhysicalMemory | |||
| AvailableVirtualMemory | |||
| BIOS_Manufacturer | |||
| BreakpadReserveAddress | |||
| BreakpadReserveSize | |||
| BuildID | The unique build identifier of this version, which is a timestamp of the form YYYYMMDDHHMMSS | no | |
| CoGetInterfaceAndReleaseStreamFailure | |||
| CoMarshalInterfaceFailure | |||
| ContentSandboxCapabilities | no | ||
| ContentSandboxCapable | |||
| ContentSandboxLevel | |||
| CPUMicrocodeVersion | |||
| CrashAddressLikelyWrong | |||
| CrashTime | ? | Can it be combined with URL? | |
| CycleCollector | |||
| DOMIPCEnabled | no | ||
| E10SCohort | no | (remove it) | |
| EMCheckCompatibility | no | ||
| EventLoopNestingLevel | no | ||
| FlashVersion | |||
| FramePoisonBase | no | ||
| FramePoisonSize | no | ||
| GPUProcessLaunchCount | |||
| GPUProcessStatus | |||
| GraphicsStartupTest | |||
| Hang | |||
| IAccessibleConfig | |||
| InstallTime | time when this version was installed | yes | user could be identified by install time |
| InterfaceRegistrationInfoParent | |||
| InterfaceRegistrationInfoChild | |||
| ipc_channel_error | |||
| IpcCreateTransportDupErrno | |||
| IPCFatalErrorMsg | |||
| IPCFatalErrorProtocol | |||
| IPCMessageName | |||
| IPCShutdownState | |||
| IPCSystemError | |||
| IPCTransportFailureReason | |||
| IsGarbageCollecting | |||
| JavaStackTrace | |||
| JSLargeAllocationFailure | |||
| JSOutOfMemory | |||
| mCrashCriticalKey | |||
| MozCrashReason | |||
| modules (list) | all the system libraries loaded at the time of the crash | no | (all injected libs make you more fingerprintable) |
| Notes | Special field for addition info (suJSOutOfMemorych as OpenGL version) | ? | (are you going to send hardware info?) |
| NumberOfPendingIPC | |||
| OOMAllocationSize | |||
| ProductID | no | ||
| ProductName | no | ||
| ProtocolName | |||
| Release Channel | the update channel that the user is on | ? | |
| RemoteType | |||
| SafeMode | Was browser started in safemode or not | no | |
| SecondsSinceLastCrash | |||
| SheetLoadFailure | |||
| ShutdownProgress | |||
| StackTraces | no | ||
| StartupCrash | Is startup crash or not | no | |
| StartupTime | Browser start time | no | |
| SystemMemoryUsePercentage | |||
| TelemetrySessionId | |||
| TextureUsage | |||
| Theme | no | ||
| Throttleable | |||
| TlsAllocations | |||
| TopPendingIPCCount | |||
| TopPendingIPCName | |||
| TopPendingIPCType | |||
| TotalPageFile | |||
| TotalPhysicalMemory | |||
| TotalVirtualMemory | |||
| UptimeTS | length of time the process was running before it crashed. | no | |
| URL | The URL of site that the user was on | yes | |
| useragent_locale | the locale of software installation | ? | Could be used to find out country which user lives in |
| Vendor | no | ||
| Version | browser version | no | |
| Winsock_LSP |
There are the addition data in [#point4 TelemetryEnvironment] param
Test crash report that was sent by tor-browser-52.1.2esr-7.0-1 - [#point6 fa7fb436-091d-4178-9b1d-f1c5e1170719]
TODO things, ideas
-
Add feature to resend crash report if first attempt is fail;
-
Add checkbox "Include my Add-ons list" to crashreporter client UI
-
Generally, we should treat all information that differs from the standard fingerprint as private. And this also means that everything included in the standard fingerprint is the same for any instance, so it's useless to send that information.
-
But such restrictions make even Tor Browser version a private thing, which greatly reduce the usefulness of anonymized reports.
-
So, there might be some slider with options: anonymous, private, full (report). Because with your current table of items, only those, who don't care, will start to send crash reports.
Links
[=#point1 (1)] https://torcrashreporter.wordpress.com/2017/04/03/google-summer-of-code-proposal-crash-reporter-for-tor-browser/
[=#point2 (2)] https://torcrashreporter.files.wordpress.com/2017/05/final_proposal.pdf
[=#point3 (3)] https://github.com/nmago/tor-browser
[=#point4 (4)] https://nmago.github.io/te.html
[=#point6 (6)] https://crash-stats.mozilla.com/report/index/fa7fb436-091d-4178-9b1d-f1c5e1170719